A computer network (or, simply, a network) is two or more interconnected computing devices that provide voice and/or data processing. The term “network boundary” refers to a logical boundary between a network and the computing devices that are outside of the network. Various network access schemes exist to control access across a network boundary. One scheme for controlling network access involves the use of three network entities: an access requestor (AR), a policy enforcement point (PEP), and a policy decision point (PDP).
An access requestor is an entity that seeks access to a network (e.g., to a protected network). The access requestor typically includes the software, hardware, and/or firmware necessary to negotiate a connection to the network. Almost any computing device capable of negotiating a connection to a network may be an access requestor including, for example, a personal computer or a server.
A policy enforcement point is an entity that enforces the access decisions of the policy decision point. The policy enforcement point may also engage in an authentication/authorization process with the access requestor and forward the results of the authentication/authorization process to the policy decision point. A policy enforcement point is typically implemented in, for example, a switch, a firewall, and/or a Virtual Private Network (VPN) gateway.
A policy decision point is a network entity that decides whether to grant network access rights to an access requestor. The policy decision point typically grants or denies network access based, at least in part, on a network access enforcement policy (or simply, enforcement policy). In conventional networks, the policy decision point is typically implemented in a server coupled with the policy enforcement point.
The conventional approach to controlling access to a network can be described as a single-switch (e.g., single policy enforcement point) approach. That is, a single switch is used to allow or to block network traffic (e.g., all traffic or a subset of the traffic) from an access requestor. This single switch (e.g., a policy enforcement point) typically defines the edge of the network boundary.
The conventional approach to controlling network access has a number of limitations. One limitation is that the conventional approach does not enable the trusted capabilities that may be associated with an access requestor to play a role in controlling access to a network. That is, the conventional approach relies on the capabilities of a single switch at the boundary of a network to control access, regardless of the capabilities of the access requestor.
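The following is an added example, written here to illustrate the three-entity exchange and the single-switch enforcement described above; it is not code from the original text or from any product implementing the scheme. The device names, shared secrets and VLAN labels are constructed sample data. The policy enforcement point (PEP) runs the authentication with the access requestor (AR) and forwards the result to the policy decision point (PDP), which grants or denies access purely from its enforcement policy; the AR contributes nothing about its own trusted capabilities, which is the limitation the preceding paragraph describes.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    """What the access requestor (AR) presents when negotiating a connection.

    Note what is absent: no field carries evidence about the AR's own trusted
    capabilities (platform state, attestation). The conventional scheme modeled
    here has no place for such evidence, so the PDP cannot use it.
    """
    identity: str
    credential: str
    vlan: str  # network segment the AR asks to join


@dataclass(frozen=True)
class EnforcementPolicy:
    """Network access enforcement policy consulted by the PDP (constructed data)."""
    permitted: dict  # vlan -> set of identities allowed on that segment


class PolicyDecisionPoint:
    """Server-side entity that decides whether to grant network access."""

    def __init__(self, policy: EnforcementPolicy):
        self.policy = policy

    def decide(self, authenticated: bool, request: AccessRequest) -> Decision:
        # The PDP sees only the PEP's authentication result and the request;
        # the decision is a function of the enforcement policy alone.
        if not authenticated:
            return Decision.DENY
        if request.identity in self.policy.permitted.get(request.vlan, set()):
            return Decision.ALLOW
        return Decision.DENY


class PolicyEnforcementPoint:
    """The single switch at the network boundary (the sole PEP)."""

    def __init__(self, pdp: PolicyDecisionPoint, credentials: dict):
        self.pdp = pdp
        self.credentials = credentials  # identity -> expected shared secret
        self.granted: dict = {}         # identity -> vlan the AR may use

    def authenticate(self, request: AccessRequest) -> bool:
        expected = self.credentials.get(request.identity)
        if expected is None:
            return False
        # Constant-time comparison so a probing AR cannot time the check.
        return hmac.compare_digest(expected.encode(), request.credential.encode())

    def negotiate(self, request: AccessRequest) -> Decision:
        """Authenticate the AR, forward the result to the PDP, enforce the answer."""
        authenticated = self.authenticate(request)
        decision = self.pdp.decide(authenticated, request)
        if decision is Decision.ALLOW:
            self.granted[request.identity] = request.vlan
        else:
            # A failed negotiation closes the port for that AR entirely.
            self.granted.pop(request.identity, None)
        return decision

    def forward(self, identity: str, vlan: str) -> bool:
        """Data-path enforcement: pass traffic only onto the VLAN that was granted."""
        return self.granted.get(identity) == vlan


def build_demo() -> PolicyEnforcementPoint:
    """Constructed setup: two known devices, two segments, one switch."""
    policy = EnforcementPolicy(
        permitted={"corp": {"alice-laptop", "build-server"}, "mgmt": {"build-server"}}
    )
    credentials = {"alice-laptop": "correct horse", "build-server": "battery staple"}
    return PolicyEnforcementPoint(PolicyDecisionPoint(policy), credentials)


if __name__ == "__main__":
    pep = build_demo()
    print(pep.negotiate(AccessRequest("alice-laptop", "correct horse", "corp")))  # ALLOW
    print(pep.forward("alice-laptop", "mgmt"))                                    # False
    print(pep.negotiate(AccessRequest("alice-laptop", "correct horse", "mgmt")))  # DENY
```

The `forward` check is where the "all traffic or a subset" enforcement lives: an AR admitted to one segment is still blocked from another, and a later failed negotiation closes its port completely. Because the request carries no trust evidence from the AR, adding such evidence would require changing both the request and the PDP's decision inputs, which is exactly what the single-switch design does not provide.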